10 Tips for Creating Strong Passwords

Practical tips for creating uncrackable passwords that keep your accounts safe.

Basiccalculatoronlinepro | 2026-01-20 | 13 min read

10 Tips for Creating Strong Passwords: Battle-Tested Techniques from Security Pros

"Use a strong password" is advice everyone hears—but what does it actually mean in practice? This guide walks through 10 concrete techniques that security professionals use, with examples and tools so you can implement them today. By the end, you'll generate uncrackable passwords with confidence.

What You'll Learn

  • The decisive difference between passwords cracked in seconds vs. centuries
  • How to create memorable yet unbreakable passphrases
  • Advanced techniques that turn attacker tactics against them
  • Specific tools to put each tip into practice immediately

Tip 1: Prioritize Length (12 minimum, 16+ recommended)

The single biggest factor in password strength is length—not complexity. Adding characters increases strength exponentially, far more than adding character types.

Length in Numbers

  • 8 chars (mixed): ~2 hours to brute force
  • 12 chars (mixed): hundreds of years
  • 16 chars (mixed): trillions of years
  • 20 chars (mixed): longer than the universe has existed

For online banking and primary email, target 16+ characters, ideally 20.

Tip 2: Embrace Passphrases

If random strings feel unmemorable, passphrases are a lifesaver. Pick 4–6 unrelated words from the EFF wordlist.

Example: `correct-horse-battery-staple` (38 chars, ~77 bits entropy)

This kind of four-word combo is:

  • Cryptographically uncrackable
  • Easy to remember through visual imagery
  • Quick to type

Basiccalculatoronlinepro's password generator includes a passphrase mode that follows the same standards.

Tip 3: Mix All Four Character Types

Including uppercase, lowercase, digits, and symbols multiplies the keyspace dramatically.

The Multiplication Effect

For 12-character passwords:

  • Lowercase only: 26^12 = 9.5×10^16
  • Letters + digits: 62^12 = 3.2×10^21 (~30,000× larger)
  • All four types: 95^12 = 5.4×10^23 (~5.7M× larger)

Choosing Symbols Wisely

Avoid: !@ (most common in attack dictionaries)

Prefer: ~`#$%^&*()-_=+[]{};':",.<>?/| (less frequent in dictionaries)

Tip 4: Never Include Personal Information

Attackers thoroughly research targets via social media, blogs, and public records, building custom dictionaries.

Information to Avoid Absolutely

  • Birthdays (yours, family, partner)
  • Names and nicknames
  • Pet names
  • Schools or employers
  • Addresses or postal codes
  • Phone numbers
  • Favorite sports teams or artists
  • Anniversaries

All of these populate "social engineering dictionaries" tried first in targeted attacks.

Tip 5: Never, Ever Reuse Passwords

This rule supersedes all others. A password leaked from one site is automatically tested across hundreds of others (credential stuffing).

Real-World Impact

According to a 2022 Norton report, 62% of breach-related fraud stems from credential reuse. A single weak hobby-site password can be the trigger that takes down your bank account.

The Solution

Use a unique password per site, managed through a password manager. You only need to memorize one master password.

Tip 6: Always Use a Password Manager

A password manager is the only realistic way to maintain unique passwords for every site.

Top Options

Bitwarden (free, open source): Transparent, audited, fully featured free tier.

1Password (paid): Polished UX, family plans, travel mode, advanced sharing.

KeePassXC (free, open source): Local storage only—maximum privacy.

iCloud Keychain / Google Password Manager: Built into their ecosystems, a solid baseline.

Crafting the Master Password

This is the one password you must memorize. Use a 20+ character passphrase.

Tip 7: Rotate Only When Necessary

The old rule of "change every 90 days" is now retired. Current NIST guidance discourages mandatory rotation.

When to Actually Change Passwords

  • Breach notification: Immediately
  • Lost device: All affected accounts
  • End of shared access: Ex-coworker, ex-partner
  • Possible exposure on public Wi-Fi

Forced rotation often produces predictable patterns (Password1 → Password2), reducing security overall.

Tip 8: Defeat Dictionary Attacks Strategically

Dictionary attacks combine common words with simple substitutions (leet speak: a→@, e→3).

Effective Defenses

  • Never use raw dictionary words
  • Combine unrelated words (passphrase technique)
  • Don't trust leet substitutions: "P@ssw0rd" cracks instantly
  • Generate truly random strings with a tool
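One way a sign-up form or audit script can apply this defense, as an added example that is not from the original article: undo common leet substitutions and padding, then compare the result against a deny-list. The substitution map, the six-word deny-list and the function names are constructed for illustration.

```javascript
// Common leet substitutions, reversed (constructed sample map).
const LEET = new Map([
  ['@', 'a'], ['4', 'a'], ['8', 'b'], ['3', 'e'],
  ['0', 'o'], ['$', 's'], ['5', 's'], ['7', 't'],
]);

// Constructed sample deny-list; a real deployment loads a large common-password list.
const DENY_LIST = new Set(['password', 'letmein', 'welcome', 'dragon', 'qwerty', 'monkey']);

// "1" and "!" can stand in for either "i" or "l", so both readings are produced.
function deLeet(s) {
  return ['i', 'l'].map((one) =>
    [...s].map((ch) => (ch === '1' || ch === '!' ? one : (LEET.get(ch) ?? ch))).join(''));
}

// Every form of the password that should be compared against the deny-list.
function candidateForms(password) {
  const lower = password.toLowerCase();
  // People pad dictionary words with digits and symbols ("Password1!", "2024welcome"),
  // so the padding is stripped from both ends before the substitutions are undone.
  const core = lower.replace(/^[^a-z]+|[^a-z]+$/g, '');
  return new Set([...deLeet(lower), ...deLeet(core)]);
}

// Returns the deny-list word the password reduces to, or null if none matches.
function findDictionaryMatch(password) {
  for (const form of candidateForms(password)) {
    if (DENY_LIST.has(form)) return form;
  }
  return null;
}
```

`findDictionaryMatch('P@ssw0rd')` and `findDictionaryMatch('Password1!')` both return `'password'`, while a multi-word passphrase such as `correct-horse-battery-staple` returns `null`.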

Tip 9: Enable Two-Factor Authentication

Even the strongest password can leak via phishing. 2FA is your last line of defense.

2FA Strength Hierarchy

1. Hardware keys (YubiKey, etc.): Strongest, phishing-resistant

2. Authenticator apps (Authy, Google Authenticator): Very strong

3. Push notifications: Strong (with locked device)

4. SMS: Weakest, but vastly better than none

Accounts That Must Have 2FA

  • Primary email (gateway to all resets)
  • Password manager
  • Banking, brokerage, crypto
  • Major social accounts
  • Cloud storage

Tip 10: Use a Password Generator

Human brains are terrible at randomness. Self-invented passwords always show patterns.

Generator Advantages

  • Cryptographically secure RNG (CSPRNG)
  • Zero human bias
  • Full control over length and character sets
  • Instant results

Why Basiccalculatoronlinepro's Generator

The [free password generator](/en/password-generator) runs entirely in your browser:

  • Nothing transmitted to any server
  • Fine-grained control of character sets, length, exclusions
  • Passphrase mode included
  • Built-in strength meter
  • Bulk generation supported

Practical Checklist: 10 Steps to Complete Today

1. Change main email password to 20 characters

2. Install a password manager

3. Set master password (passphrase style)

4. List out all reused passwords

5. Strengthen 10 most critical accounts in order

6. Enable 2FA on each

7. Run a Have I Been Pwned check

8. Delete browser-stored passwords (migrate to manager)

9. Close inactive old accounts

10. Share these practices with family

Closing Thoughts

Strong passwords aren't magic spells—they're the consistent application of a few simple principles: length, randomness, uniqueness, and the right tools. Apply these and you'll block 99%+ of automated attacks.

Security isn't hard. With modern password managers and generators, it's actually easier than ever. Start with one account today.

Related Articles

  • [Password Security Basics](/en/blog/password-security-basics)
  • [Complete Guide to Password Managers](/en/blog/password-manager-guide)
  • [Two-Factor Authentication: Why and How](/en/blog/two-factor-authentication)
  • [Cybersecurity Basics](/en/blog/cybersecurity-basics)
